Insecure At Any Speed: Are Automakers Failing The Software Crash Test?

Editor’s Note: You can view the rest of my conversation about application and supply chain security, featuring Joshua Corman of Akamai and Chris Wysopal of Veracode by visiting Veracode’s web site. – PFR

You’re in the market for a new car, and you’ve made a list of the features you want: a cool, tablet style interface for the audio and navigation system, side impact airbags for the front and rear compartment, a pop-up third row of seating. Heck, maybe you even want to hold out for the automatic seat temperature control that some Lexus cars now come with. While you’re at it, how about some secure software, too?

Researchers from IOActive demonstrated a hack of a Toyota Prius. (Photo courtesy of Ars Technica.)

“The difference between safety and security is that, with security, there’s an adversary,” said Wysopal. “That’s very hard for these engineers to understand. They don’t understand that there are people out there who want to do bad things to their system, and they don’t understand how they can do those bad things.”

“They’re thinking ‘Is there a password to access the system? Is there authorization so one person can’t access another’s account?’” Wysopal told The Security Ledger. But true application security is a much broader problem, one that takes into account the “failure modes” of the software and how they could be exploited to gain control over the operation of a system, he said.

Joshua Corman, the Director of Security Intelligence at Akamai Technologies, said that the advent of security as an issue for products like automobiles is akin to the safety revolution in the 1960s, 70s and 80s, as regulators mandated features like seat belts in cars, often over the objections of car makers.

“The auto industry thought safety would destroy innovation and cost too much and buyers would hate it,” Corman said. “Today you have the five star crash rating system and if you want a really safe car for your kid, you have signals to help you steer that and price it. I can’t tell you the difference between a two star and a three star rating, but I can tell you I probably want a three.”

Alas, securing complex software applications is harder than installing a seat belt in a car, and Corman says that there’s currently little incentive for software makers to “take security seriously.”